DOs:
1. Use Official Images
Always rely on validated Docker images from official repositories.
docker pull ubuntu:20.04
2. Specify Base Image Version
Avoid the `latest` tag so that a rebuild cannot silently pull in a different base image.
FROM python:3.9-slim
3. Secure Image Builds with Multi-Stage
Reduce the attack surface by discarding build dependencies: only the compiled binary is copied into the small final image.
FROM golang:1.18 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o myapp
FROM alpine:3.18
COPY --from=builder /app/myapp /usr/local/bin/
CMD ["myapp"]
4. Prefer `COPY` Over `ADD`
`COPY` is more transparent and predictable.
COPY ./src /app/src
5. Parameterize Builds with `ARG`
Use build-time variables for flexibility.
ARG APP_VERSION=1.0
ENV APP_VERSION=${APP_VERSION}
6. Set `WORKDIR` Early
Define the working directory before any `COPY` or `RUN` that depends on it.
WORKDIR /app
COPY . .
DON’Ts:
1. Ignore Image Efficiency
Avoid unnecessary layers—combine `RUN` commands and clean up the package cache in the same layer, otherwise the cached files remain in the image.
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
2. Overload Build Context
Use `.dockerignore` to exclude unwanted files (logs, the `.git` directory) from the build context, for example:
*.log
.git
3. Hardcode Credentials
Never bake credentials into the image with `ENV` or `COPY`; inject them at run time with Docker secrets or environment variables. Note that a value passed with `-e` is still visible in shell history and in `docker inspect` output, so secrets are preferable for anything sensitive.
docker run -e DB_PASSWORD=secret myimage
4. Run as Root
Always switch to a non-root user before the process starts.
RUN useradd -m appuser && chown -R appuser /app
USER appuser
5. Create Multipurpose Containers
Follow the “one process per container” rule.
6. Omit `ENTRYPOINT`
Define `ENTRYPOINT` for consistent execution.
ENTRYPOINT ["python"]
CMD ["app.py"]
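As an added example (not code from the original post), a small Python checker that applies the DOs and DON'Ts above to a Dockerfile: unpinned or `latest` base images, `ADD` instead of `COPY`, credential-looking `ENV`/`ARG` values, a final stage that still runs as root, and a missing `ENTRYPOINT`. The rule names, the regex and both sample Dockerfiles are constructed for this example.

```python
import re

# Checks derived from the DOs/DON'Ts above; rule names and regex are this example's own.
CRED_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)\w*[=\s]", re.I)

def lint_dockerfile(text):
    """Return [(rule, line_no)] findings; line_no 0 means a whole-file finding."""
    findings, user_ok, has_entrypoint = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM":
            image = [t for t in rest.split() if not t.startswith("--")][0]
            name = image.rsplit("/", 1)[-1]  # drop registry and namespace
            tag = name.split(":", 1)[1] if ":" in name else None
            if not ("@sha256:" in image or image == "scratch" or (tag and tag != "latest")):
                findings.append(("unpinned base image", no))
            user_ok = False  # every stage starts as root; only the final stage counts
        elif instr == "ADD":
            findings.append(("ADD instead of COPY", no))
        elif instr in ("ENV", "ARG") and CRED_RE.search(rest):
            findings.append(("hardcoded credential", no))  # survives in `docker history`
        elif instr == "USER":
            user_ok = rest.split(":")[0] not in ("root", "0")
        elif instr == "ENTRYPOINT":
            has_entrypoint = True
    if not user_ok:
        findings.append(("runs as root", 0))
    if not has_entrypoint:
        findings.append(("no ENTRYPOINT", 0))
    return findings

# Constructed samples: the first breaks several rules, the second follows them.
BAD_DOCKERFILE = """\
FROM python
ADD ./src /app/src
ENV DB_PASSWORD=hunter2
USER root
CMD ["python", "app.py"]
"""
GOOD_DOCKERFILE = """\
FROM alpine:3.18
COPY myapp /usr/local/bin/
RUN adduser -D appuser
USER appuser
ENTRYPOINT ["myapp"]
"""
print(lint_dockerfile(BAD_DOCKERFILE), lint_dockerfile(GOOD_DOCKERFILE))
```

A `USER` set only in a builder stage does not carry over to the final stage, so the checker resets the user at every `FROM`.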
You Should Know:
Security Hardening Commands
- Scan images for vulnerabilities (`docker scan` is deprecated in recent Docker releases; `docker scout cves ubuntu:20.04` is its replacement):
docker scan ubuntu:20.04
- Remove unused images:
docker image prune -a
- Inspect image layers:
docker history myimage
Linux Commands for Docker Debugging
- Check container processes:
docker top <container_id>
- Analyze container logs:
docker logs --tail 100 <container_id>
- Inspect network configuration:
docker inspect --format='{{.NetworkSettings.IPAddress}}' <container_id>
Windows Docker Commands
- Clean unused data:
docker system prune --volumes
- Run Windows container:
docker run -it mcr.microsoft.com/windows/servercore:ltsc2022 cmd
What Undercode Says:
Adopting these practices ensures lightweight, secure, and maintainable Docker images. Multi-stage builds and non-root users mitigate risks, while `.dockerignore` and layer optimization boost performance.
Expected Output:
A production-ready Docker image with:
- Minimal attack surface
- Version-pinned dependencies
- Non-root execution
- Efficient layer caching
Prediction:
Container security will increasingly integrate with Kubernetes-native tooling (e.g., Falco, Kyverno) for runtime enforcement.
Reported By: Parasmayur Learning – Hackers Feeds